Locky – Ever-evolving Ransomware – Makes its Appearance Again

Locky, the notorious ransomware, is back in the spotlight. A few weeks ago, on August 9, it resurfaced in a new campaign dubbed “IKARUSdilapidated.” The campaign delivered a variant with a menacing name, Diablo6[1], using the old technique: spam email. The messages carried a .zip or .rar archive named after the current date ([date].zip) and a one-line body, “Files attached. Thanks.”

Once an unsuspecting user opens the content of the archive, they face the destructive power of the Diablo6 file-encrypting variant. A few days later, however, the developers sent a “backup” for the campaign, another version of the infamous virtual plague: Lukitus.

The main difference was the file extension: encrypted files now received .lukitus instead of .diablo6. Overall, the persistence of the Locky authors does not cease to surprise the security community.

Seeking Inspiration from Mythology

Locky became infamous not only for its infiltration of numerous medical institutions and companies, but also for its references to mythology. The first versions borrowed Norse deity names, with Odin and Thor making an appearance, while later versions alluded to Ancient Egypt: Osiris and Anubis. The modus operandi, however, did not differ much from version to version.

As for IKARUSdilapidated, its core mode of operation shows nothing exceptional. The veneer of the campaign, however, is intriguing: the new malware was spotted targeting specific companies.

More Insidious Technique

Since employees often exchange scanned documents by email, the Locky developers saw this daily routine as a perfect chance to foist the new version of the malware on them. An email from an apparent colleague with a subject line such as “scanned image of [printer type].png” might therefore be bait rather than a genuine message.

Once running, the malware may encrypt an entire server or take the easier option of encrypting files on network shares reachable from the infected workstation. If a curious user opens the message and forwards it to colleagues, they unwittingly pass the menace on, which further accelerates the spread.

Unfortunately, these were not the only campaigns. Another variant was detected that exclusively targeted French users; surprisingly, it arrived in emails purporting to come from the French Post Office. This campaign emerged on August 21 and ran for only 15 hours. It was also associated with laposte.net, a domain used by the company.

Researchers have identified an astonishing number of IP addresses compromised by IKARUSdilapidated: 54,048. They were also able to identify certain epicenters and “routes” of Locky distribution[4]:

UK (via Turkey) – Indonesia

Central and southern Africa

South West US – South America

Countermeasures Against IKARUSdilapidated

As Locky keeps evolving it reveals more features, and IT experts gain a better insight into the malware. Because of its unpredictable behaviour, however, it remains a live threat. Besides backing up your files and protecting your device with a combination of security tools, take note of the following advice:

verify the authenticity of an email even when it appears to come from an official institution

compare the sender’s details (address, signature, contact information) with the institution’s official ones

look for typos and grammar mistakes

scan any received attachment and check with the sender before opening it
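The four checks above can be partly automated at the mail gateway. The following Python script is an added example written for this article, not code from the original page or from any vendor: using only the standard library it parses a message and flags an external sender domain, the lure’s subject and body wording, a dated .zip/.rar attachment, and an attachment whose bytes are an archive even though its name claims otherwise. The trusted domain, the regular expressions and the three sample messages are constructed for illustration.

```python
"""Mail-triage checks for the Locky "scanned image" lure.
Added example; every domain, pattern and sample message is constructed."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: the organisation's own sending domains (hypothetical values).
TRUSTED_SENDER_DOMAINS = {"acme.example"}

# Traits of the campaign described in the article.
ARCHIVE_EXTENSIONS = {".zip", ".rar"}
DATED_ARCHIVE_NAME = re.compile(r"^\d{4}[-_.]?\d{2}[-_.]?\d{2}\.(?:zip|rar)$", re.I)
LURE_SUBJECT = re.compile(r"scanned\s+image|files?\s+attached", re.I)
LURE_BODY = re.compile(r"^\s*files?\s+attached\.?\s*thanks\.?\s*$", re.I | re.S)

# Leading bytes of the two container formats the campaign shipped.
MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar"}


def sniff_container(data):
    """Identify a ZIP/RAR body by its magic bytes, ignoring the file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def sender_domain(msg):
    """Domain of the real address, not of the display name the lure shows."""
    _, address = parseaddr(str(msg.get("From", "")))
    return address.rpartition("@")[2].lower()


def triage(raw):
    """Score one RFC 822 message against the lure traits; higher is more suspicious."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []

    domain = sender_domain(msg)
    if domain not in TRUSTED_SENDER_DOMAINS:
        findings.append(f"sender domain {domain!r} is not an internal domain")

    subject = str(msg.get("Subject", ""))
    if LURE_SUBJECT.search(subject):
        findings.append(f"subject uses the lure wording: {subject!r}")

    body = msg.get_body(preferencelist=("plain",))
    if body is not None and LURE_BODY.match(body.get_content()):
        findings.append("body is the bare 'Files attached. Thanks.' text")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        kind = sniff_container(part.get_payload(decode=True) or b"")
        if ext in ARCHIVE_EXTENSIONS:
            findings.append(f"archive attachment {name!r}")
        if DATED_ARCHIVE_NAME.match(name):
            findings.append(f"attachment name is a bare date: {name!r}")
        if kind and ext not in ARCHIVE_EXTENSIONS:
            # e.g. a ".png" whose bytes start with a ZIP header
            findings.append(f"{name!r} is really a {kind} archive")

    return {"score": len(findings), "findings": findings}


def build_sample(sender, subject, body, attachment_name, attachment_bytes):
    """Assemble a constructed test message as raw bytes."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "alice@acme.example"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed lure: external sender posing as a printer, dated ZIP header stub.
LURE = build_sample('"Office Printer" <scanner@mail-relay.example.net>',
                    "scanned image of MX-2600N.png", "Files attached. Thanks.",
                    "20170809.zip", b"PK\x03\x04" + b"\x00" * 26)

# Constructed variant: same lure, but the archive hides behind a .png name.
DISGUISED = build_sample('"Copier" <scanner@copier-service.example.org>',
                         "Scanned image from MX-2600N", "Files attached. Thanks.",
                         "scan_0001.png", b"PK\x03\x04" + b"\x00" * 26)

# Constructed benign internal scan for comparison.
BENIGN = build_sample('"Alice" <alice@acme.example>', "Q3 invoices, scanned",
                      "Attached are the invoices we discussed.",
                      "invoices-q3.pdf", b"%PDF-1.4\n")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("disguised", DISGUISED), ("benign", BENIGN)):
        result = triage(raw)
        print(f"{label}: score {result['score']}", *result["findings"], sep="\n  ")
```

Run directly, the script scores each constructed message and lists the traits it matched. In practice triage() would sit behind a gateway hook and a non-zero score would divert the attachment to a sandbox. It matches the lure’s fingerprint, not the payload, so it complements the attachment scanning and sender call-back recommended above rather than replacing them.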

As the Locky developers make their distribution methods more deceptive by incorporating elements of everyday communication, you should remain more vigilant than ever before.

Meet Linas Kiguolis, the founder and chief editor of TecoReviews. His interest in the latest technologies, cyber security and social media led him to study Applied Computer Sciences and Business Informatics. Merging the acquired theoretical knowledge with his passion for IT gadgets shaped TecoReviews. In his free time, Linas finds peace of mind in robotics and the sport of Capoeira.